I have configured database monitor and set two access rules in its context. But the log messages below keep annoying me:
/etc/openldap/slapd.conf: line 110: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to dn.subtree="cn=monitor" by dn.base="cn=oldap,dc=ufv,dc=br" read by * none
Backend ACL: access to * by * none
/etc/openldap/slapd.conf: line 123: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to * by * none
config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
slapd starting
How may I "fix" that? (Although I used the word "fix", I know it is not an error message.)
Thanks in advance
> I have configured database monitor and set two access rules in its context. But the log messages below keep annoying me:
> /etc/openldap/slapd.conf: line 110: warning: cannot assess the validity of the ACL scope within backend naming context
> Backend ACL: access to dn.subtree="cn=monitor" by dn.base="cn=oldap,dc=ufv,dc=br" read by * none
> Backend ACL: access to * by * none
Remove this rule. It's pleonastic (never used) because, as the message says, it's outside the naming context. All data within the naming scope is intercepted by the previous rule.
p.
So what should be the rules for monitor database? I don't want my users looking up in my openldap server status. May you provide rules for the monitor database?
Thanks
On Tue, Jul 5, 2011 at 6:03 PM, masarati@aero.polimi.it wrote:
> Remove this rule. It's pleonastic (never used) because, as the message says, it's outside the naming context. All data within the naming scope is intercepted by the previous rule.
> p.
Now I am really confused. I removed the database monitor section with all its access rules.
Here is my slapd.conf (only the access rules parts):
access to dn.one="ou=appsrv,dc=ufv,dc=br" attrs=userpassword by self read by anonymous auth by * none
access to dn.one="ou=appsrv,dc=ufv,dc=br" by self read by * none
access to dn.one="ou=people,dc=ufv,dc=br" attrs=userpassword by self read by anonymous auth by * none
access to dn.one="ou=people,dc=ufv,dc=br" by self read by dn.exact="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read by * none
access to dn.base="ou=people,dc=ufv,dc=br" attrs=entry by dn.exact="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read by * none
access to dn.one="ou=group,dc=ufv,dc=br" by dn.exact="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read by * none
access to dn.base="ou=group,dc=ufv,dc=br" attrs=entry by dn.exact="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read by * none
Here is what I got from the slapd output log:
@(#) $OpenLDAP: slapd 2.4.23 (Jun 28 2011 17:55:44) $ @gustav.cpd.ufv.br:/usr/ports/pobj/openldap-2.4.23/build-amd64/servers/slapd
Backend ACL: access to dn.one="ou=appsrv,dc=ufv,dc=br" attrs=userpassword by self read by anonymous auth by * none
Backend ACL: access to dn.one="ou=appsrv,dc=ufv,dc=br" by self read by * none
Backend ACL: access to dn.one="ou=people,dc=ufv,dc=br" attrs=userpassword by self read by anonymous auth by * none
Backend ACL: access to dn.base="ou=people,dc=ufv,dc=br" attrs=entry by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read by * none
Backend ACL: access to dn.one="ou=group,dc=ufv,dc=br" by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read by * none
Backend ACL: access to dn.base="ou=group,dc=ufv,dc=br" attrs=entry by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read by * none
Backend ACL: access to * by * none
config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapd starting
As you can see, I have no access rule (access to * by * none) and it (the rule) insists on appearing in the log, why?
> Backend ACL: access to * by * none
> config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
Read carefully: it's back-config that implicitly instantiates that rule, so it has nothing to do with back-monitor. Moreover, the message only pops up when you enable ACL logging, which is only useful for debugging. Only enable it when needed, and the message will disappear.
p.
On Tue, 5 Jul 2011 19:33:05 -0300, Friedrich Locke friedrich.locke@gmail.com wrote:
> So what should be the rules for monitor database? I don't want my users looking up in my openldap server status. May you provide rules for the monitor database?
> How may I "fix" that? (Although I used the word "fix", I know it is not an error message.)
Declare the access rules within the context of the monitor database.
dn:olcDatabase=monitor,cn=config
olcAccess: to dn.subtree=cn=monitor by users read
-Dieter
openldap-technical@openldap.org
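The reasoning in the replies above (a rule that follows one already matching the whole naming context is never reached) can be checked mechanically. This is an added example, not code from the thread or from OpenLDAP: a simplified first-match model over slapd.conf text. The function names and the sample configuration are constructed for illustration, only `*` and `dn.subtree` scopes are treated as covering, and the monitor suffix is assumed to be cn=monitor.

```python
import re
# Constructed sample mirroring the monitor database rules quoted in the thread.
SAMPLE_CONF = '''\
database monitor
access to dn.subtree="cn=monitor"
    by dn.base="cn=oldap,dc=ufv,dc=br" read
    by * none
access to * by * none
'''

def norm(dn):  # lower-case and split into RDNs; assumes no escaped commas
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def logical_lines(text):
    """Join slapd.conf continuation lines (lines that start with whitespace)."""
    out = []
    for raw in text.splitlines():
        if raw[:1].isspace() and out:
            out[-1] += " " + raw.strip()
        elif raw.strip() and not raw.startswith("#"):
            out.append(raw.strip())
    return out

def covers_context(rule, suffix):
    """True if the rule's <what> clause matches every entry under suffix."""
    what = re.sub(r"^access\s+to\s+", "", rule, flags=re.I)
    what = re.split(r"\s+by\s+", what, maxsplit=1)[0].split()
    if len(what) != 1 or re.search(r"\bbreak\b", rule):
        return False  # attrs=/filter= narrow the match; 'break' falls through
    if what[0] == "*":
        return True
    m = re.match(r'dn\.(?:subtree|sub)="?([^"]*)"?$', what[0], re.I)
    scope, sfx = (norm(m.group(1)) if m else None), norm(suffix)
    # The subtree covers the context when its DN is the suffix or an ancestor.
    return scope is not None and sfx[len(sfx) - len(scope):] == scope

def shadowed_rules(conf_text):
    """Return (database, rule) pairs that first-match evaluation never reaches."""
    found, db, suffix, covered = [], None, None, False
    for line in logical_lines(conf_text):
        word = line.split()[0].lower()
        if word == "database":
            db, covered = line.split()[1].lower(), False
            suffix = "cn=monitor" if db == "monitor" else None  # assumed suffix
        elif word == "suffix" and db:
            suffix = line.split(None, 1)[1].strip('"')
        elif word == "access" and db and suffix is not None:
            if covered:
                found.append((db, line))
            covered = covered or covers_context(line, suffix)
    return found
```

On the sample, `shadowed_rules(SAMPLE_CONF)` reports the trailing `access to * by * none` in the monitor database, the rule the first reply says to remove.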